Skip to content

HDDS-13909. [STS] Introduce STSTokenIdentifier class #9277

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sodonnel merged 5 commits into from
Nov 17, 2025
Merged

HDDS-13909. [STS] Introduce STSTokenIdentifier class #9277

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e9d4b1e
introduce STSTokenIdentifier class
Nov 11, 2025
70f9a2b
update formatting
Nov 14, 2025
2f611b2
misc updates
Nov 14, 2025
609e753
fix CI issue and make the empty constructor public
Nov 16, 2025
4b1164f
fix formatting from a previous PR
Nov 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 2 additions & 6 deletions hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -761,12 +761,8 @@ public Iterator<OzoneSnapshotDiff> listSnapshotDiffJobs(
* @return AssumeRoleResponseInfo The AssumeRole response information containing temporary credentials
* @throws IOException if an error occurs during the AssumeRole operation
*/
public AssumeRoleResponseInfo assumeRole(
String roleArn,
String roleSessionName,
int durationSeconds,
String awsIamSessionPolicy
) throws IOException {
public AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName, int durationSeconds,
String awsIamSessionPolicy) throws IOException {
return proxy.assumeRole(roleArn, roleSessionName, durationSeconds, awsIamSessionPolicy);
}

Expand Down
8 changes: 2 additions & 6 deletions ...op-ozone/client/src/main/java/org/apache/hadoop/ozone/client/protocol/ClientProtocol.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1370,10 +1370,6 @@ void deleteObjectTagging(String volumeName, String bucketName, String keyName)
* @return AssumeRoleResponseInfo The AssumeRole response information containing temporary credentials
* @throws IOException if an error occurs during the AssumeRole operation
*/
AssumeRoleResponseInfo assumeRole(
String roleArn,
String roleSessionName,
int durationSeconds,
String awsIamSessionPolicy
) throws IOException;
AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName, int durationSeconds,
String awsIamSessionPolicy) throws IOException;
}
8 changes: 2 additions & 6 deletions hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2792,12 +2792,8 @@ public void deleteObjectTagging(String volumeName, String bucketName,
}

@Override
public AssumeRoleResponseInfo assumeRole(
String roleArn,
String roleSessionName,
int durationSeconds,
String awsIamSessionPolicy
) throws IOException {
public AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName, int durationSeconds,
String awsIamSessionPolicy) throws IOException {
return ozoneManagerClient.assumeRole(roleArn, roleSessionName, durationSeconds, awsIamSessionPolicy);
}

Expand Down
49 changes: 12 additions & 37 deletions ...ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/AssumeRoleResponseInfo.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,30 +53,19 @@ public String getAssumedRoleId() {
return assumedRoleId;
}

public AssumeRoleResponseInfo(
String accessKeyId,
String secretAccessKey,
String sessionToken,
long expirationEpochSeconds,
String assumedRoleId
) {
public AssumeRoleResponseInfo(String accessKeyId, String secretAccessKey, String sessionToken,
long expirationEpochSeconds, String assumedRoleId) {
this.accessKeyId = accessKeyId;
this.secretAccessKey = secretAccessKey;
this.sessionToken = sessionToken;
this.expirationEpochSeconds = expirationEpochSeconds;
this.assumedRoleId = assumedRoleId;
}

public static AssumeRoleResponseInfo fromProtobuf(
AssumeRoleResponse response
) {
public static AssumeRoleResponseInfo fromProtobuf(AssumeRoleResponse response) {
return new AssumeRoleResponseInfo(
response.getAccessKeyId(),
response.getSecretAccessKey(),
response.getSessionToken(),
response.getExpirationEpochSeconds(),
response.getAssumedRoleId()
);
response.getAccessKeyId(), response.getSecretAccessKey(), response.getSessionToken(),
response.getExpirationEpochSeconds(), response.getAssumedRoleId());
}

public AssumeRoleResponse getProtobuf() {
Expand All @@ -91,19 +80,13 @@ public AssumeRoleResponse getProtobuf() {

@Override
public String toString() {
return "AssumeRoleResponseInfo{" +
"accessKeyId='" + accessKeyId + '\'' +
", secretAccessKey='" + secretAccessKey + '\'' +
", sessionToken='" + sessionToken + '\'' +
", expirationEpochSeconds=" + expirationEpochSeconds +
", assumedRoleId='" + assumedRoleId + '\'' +
'}';
return "AssumeRoleResponseInfo{" + "accessKeyId='" + accessKeyId + "', secretAccessKey='" + secretAccessKey +
"', sessionToken='" + sessionToken + "', expirationEpochSeconds=" + expirationEpochSeconds +
", assumedRoleId='" + assumedRoleId + "'}";
}

@Override
public boolean equals(
Object o
) {
public boolean equals(Object o) {
if (this == o) {
return true;
}
Expand All @@ -113,21 +96,13 @@ public boolean equals(
}

final AssumeRoleResponseInfo that = (AssumeRoleResponseInfo) o;
return expirationEpochSeconds == that.expirationEpochSeconds &&
Objects.equals(accessKeyId, that.accessKeyId) &&
Objects.equals(secretAccessKey, that.secretAccessKey) &&
Objects.equals(sessionToken, that.sessionToken) &&
return expirationEpochSeconds == that.expirationEpochSeconds && Objects.equals(accessKeyId, that.accessKeyId) &&
Objects.equals(secretAccessKey, that.secretAccessKey) && Objects.equals(sessionToken, that.sessionToken) &&
Objects.equals(assumedRoleId, that.assumedRoleId);
}

@Override
public int hashCode() {
return Objects.hash(
accessKeyId,
secretAccessKey,
sessionToken,
expirationEpochSeconds,
assumedRoleId
);
return Objects.hash(accessKeyId, secretAccessKey, sessionToken, expirationEpochSeconds, assumedRoleId);
}
}
12 changes: 3 additions & 9 deletions ...-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocol/OzoneManagerProtocol.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1187,14 +1187,8 @@ default void deleteObjectTagging(OmKeyArgs args) throws IOException {
* @return AssumeRoleResponseInfo The AssumeRole response information containing temporary credentials
* @throws IOException if an error occurs during the AssumeRole operation
*/
default AssumeRoleResponseInfo assumeRole(
String roleArn,
String roleSessionName,
int durationSeconds,
String awsIamSessionPolicy
) throws IOException {
throw new UnsupportedOperationException(
"OzoneManager does not require this to be implemented"
);
default AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName, int durationSeconds,
String awsIamSessionPolicy) throws IOException {
throw new UnsupportedOperationException("OzoneManager does not require this to be implemented");
}
}
11 changes: 3 additions & 8 deletions ...ava/org/apache/hadoop/ozone/om/protocolPB/OzoneManagerProtocolClientSideTranslatorPB.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2652,12 +2652,8 @@ public void deleteObjectTagging(OmKeyArgs args) throws IOException {
}

@Override
public AssumeRoleResponseInfo assumeRole(
String roleArn,
String roleSessionName,
int durationSeconds,
String awsIamSessionPolicy
) throws IOException {
public AssumeRoleResponseInfo assumeRole(String roleArn, String roleSessionName, int durationSeconds,
String awsIamSessionPolicy) throws IOException {
final OzoneManagerProtocolProtos.AssumeRoleRequest.Builder request =
OzoneManagerProtocolProtos.AssumeRoleRequest.newBuilder()
.setRoleArn(roleArn)
Expand All @@ -2670,8 +2666,7 @@ public AssumeRoleResponseInfo assumeRole(
.build();

return AssumeRoleResponseInfo.fromProtobuf(
handleError(submitRequest(omRequest)).getAssumeRoleResponse()
);
handleError(submitRequest(omRequest)).getAssumeRoleResponse());
}

private SafeMode toProtoBuf(SafeModeAction action) {
Expand Down
129 changes: 20 additions & 109 deletions ...e/common/src/test/java/org/apache/hadoop/ozone/om/helpers/TestAssumeRoleResponseInfo.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,12 +46,7 @@ public class TestAssumeRoleResponseInfo {
@Test
public void testConstructor() {
final AssumeRoleResponseInfo response = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

assertEquals(ACCESS_KEY_ID, response.getAccessKeyId());
assertEquals(SECRET_ACCESS_KEY, response.getSecretAccessKey());
Expand All @@ -63,12 +58,7 @@ public void testConstructor() {
@Test
public void testProtobufConversion() {
final AssumeRoleResponseInfo response = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

final AssumeRoleResponse proto = response.getProtobuf();

Expand Down Expand Up @@ -102,12 +92,7 @@ public void testFromProtobuf() {
@Test
public void testProtobufRoundTrip() {
final AssumeRoleResponseInfo originalResponse = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

final AssumeRoleResponse proto = originalResponse.getProtobuf();
final AssumeRoleResponseInfo recoveredResponse = AssumeRoleResponseInfo.fromProtobuf(proto);
Expand All @@ -118,20 +103,10 @@ public void testProtobufRoundTrip() {
@Test
public void testEqualsAndHashCodeWithIdenticalObjects() {
final AssumeRoleResponseInfo response1 = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

final AssumeRoleResponseInfo response2 = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

assertEquals(response1, response2);
assertEquals(response1.hashCode(), response2.hashCode());
Expand All @@ -140,20 +115,10 @@ public void testEqualsAndHashCodeWithIdenticalObjects() {
@Test
public void testNotEqualsAndHashCodeWithDifferentAccessKeyId() {
final AssumeRoleResponseInfo response1 = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

final AssumeRoleResponseInfo response2 = new AssumeRoleResponseInfo(
"DIFFERENT_KEY_ID",
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
"DIFFERENT_KEY_ID", SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

assertNotEquals(response1, response2);
assertNotEquals(response1.hashCode(), response2.hashCode());
Expand All @@ -162,20 +127,10 @@ public void testNotEqualsAndHashCodeWithDifferentAccessKeyId() {
@Test
public void testNotEqualsAndHashCodeWithDifferentSecretAccessKey() {
final AssumeRoleResponseInfo response1 = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

final AssumeRoleResponseInfo response2 = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
"DIFFERENT_SECRET_KEY",
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, "DIFFERENT_SECRET_KEY", SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

assertNotEquals(response1, response2);
assertNotEquals(response1.hashCode(), response2.hashCode());
Expand All @@ -184,20 +139,10 @@ public void testNotEqualsAndHashCodeWithDifferentSecretAccessKey() {
@Test
public void testNotEqualsAndHashCodeWithDifferentSessionToken() {
final AssumeRoleResponseInfo response1 = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

final AssumeRoleResponseInfo response2 = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
"DIFFERENT_TOKEN",
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, "DIFFERENT_TOKEN", EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

assertNotEquals(response1, response2);
assertNotEquals(response1.hashCode(), response2.hashCode());
Expand All @@ -206,20 +151,10 @@ public void testNotEqualsAndHashCodeWithDifferentSessionToken() {
@Test
public void testNotEqualsAndHashCodeWithDifferentExpirationEpochSeconds() {
final AssumeRoleResponseInfo response1 = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

final AssumeRoleResponseInfo response2 = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
9999999999L,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, 9999999999L, ASSUMED_ROLE_ID);

assertNotEquals(response1, response2);
assertNotEquals(response1.hashCode(), response2.hashCode());
Expand All @@ -228,20 +163,10 @@ public void testNotEqualsAndHashCodeWithDifferentExpirationEpochSeconds() {
@Test
public void testNotEqualsAndHashCodeWithDifferentAssumedRoleId() {
final AssumeRoleResponseInfo response1 = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

final AssumeRoleResponseInfo response2 = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
"DIFFERENT_ROLE_ID"
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, "DIFFERENT_ROLE_ID");

assertNotEquals(response1, response2);
assertNotEquals(response1.hashCode(), response2.hashCode());
Expand All @@ -250,34 +175,20 @@ public void testNotEqualsAndHashCodeWithDifferentAssumedRoleId() {
@Test
public void testNotEqualsWithNull() {
final AssumeRoleResponseInfo response = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

assertNotEquals(null, response);
}

@Test
public void testToString() {
final AssumeRoleResponseInfo response = new AssumeRoleResponseInfo(
ACCESS_KEY_ID,
SECRET_ACCESS_KEY,
SESSION_TOKEN,
EXPIRATION_EPOCH_SECONDS,
ASSUMED_ROLE_ID
);
ACCESS_KEY_ID, SECRET_ACCESS_KEY, SESSION_TOKEN, EXPIRATION_EPOCH_SECONDS, ASSUMED_ROLE_ID);

final String toString = response.toString();
final String expectedString = "AssumeRoleResponseInfo{" +
"accessKeyId='" + ACCESS_KEY_ID + '\'' +
", secretAccessKey='" + SECRET_ACCESS_KEY + '\'' +
", sessionToken='" + SESSION_TOKEN + '\'' +
", expirationEpochSeconds=" + EXPIRATION_EPOCH_SECONDS +
", assumedRoleId='" + ASSUMED_ROLE_ID + '\'' +
'}';
final String expectedString = "AssumeRoleResponseInfo{" + "accessKeyId='" + ACCESS_KEY_ID +
"', secretAccessKey='" + SECRET_ACCESS_KEY + "', sessionToken='" + SESSION_TOKEN +
"', expirationEpochSeconds=" + EXPIRATION_EPOCH_SECONDS + ", assumedRoleId='" + ASSUMED_ROLE_ID + "'}";

assertNotNull(toString);
assertEquals(expectedString, toString);
Expand Down
Loading